Techniques for dynamic disk personalization

ABSTRACT

Techniques for dynamic disk personalization are provided. A virtual image that is used to create an instance of a virtual machine (VM) is altered so that disk access operations are intercepted within the VM and redirected to a service that is external to the VM. The external service manages a personalized storage for a principal, the personalized storage used to personalize the virtual image without altering the virtual image.

BACKGROUND

Increasingly, services and communication are achieved over the Internetand the World-Wide Web (WWW). Geographical location is becomingirrelevant with respect to network connectivity. Furthermore, thephysical devices used by individuals to communicate and conduct businessare increasingly becoming transparent through machine virtualizationtechniques and miniaturized.

As the industry uses more and more virtualization, there exists aproblem on how the changes made by the end user are saved and restored.The end user may start out with a standard virtual machine (VM) imagebut as soon as a new program is added, some programs are run or filesare saved, the image must be saved as an entirely new image or thechanges will be lost if the user ends and restarts the user's VM. A usercan map a personal disk to the running VM image and use it for allchanges and installs, but this does not solve the problem. The reasonfor this is that when software is installed or runs it is common for thesoftware to write to the root/boot drive. Writing to the root drivechanges the base image, such that the base image must now be saved as anew image. This entire process can consume large amounts of storage/diskand add a required step to the end user. The described situation alsoadds new ways to lose data, time, and disk space.

An example of this would be if the user installs a new application suchas Word® to a mapped drive such as “N:” on a running instance of a VMsuch as “Standard_Win32_image.” Drive N: is mapped to a personal storagedrive for the user; it could be a local drive, a network drive, or acloud drive such as “S3” via Amazon®. As Word® is installed the code iscopied to drive “N:,” which does not change the base image but as partof the install several files are also added or modified on the defaultROOT. One of these files is the Window's® Registry. The Window's®Registry is a part of the “Standard_Win32_image” and is now changed bythe user. After the install of Word® and as the user runs the Word®application, the registry continues to change as the user does any thingthat Word® is configured to “remember.”

This example of using and installing Word® is just one simple case ofhow the VM image can be changed by the user and need to be saved as anew image. As the industry moves into a Virtual Desktop Infrastructure(VDI), the problem of having many personal images will become a majorstorage and management problem.

SUMMARY

In various embodiments, techniques for dynamic disk personalization arepresented. More specifically, and in an embodiment, a method fordynamically personalizing a disk within a Virtual Machine (VM) isprovided. A request is intercepted from a principal to access storage;the request is received within a VM. The VM is defined as an instance ofa virtual image. The request is then redirected to an external datastore that is external to the virtual image. Finally, instructions arereceived from the external data store identifying a location for datathat satisfies the request.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a method for dynamically personalizing a diskwithin a VM, according to an example embodiment.

FIG. 2 is a diagram of another method for dynamically personalizing adisk within a VM, according to an example embodiment.

FIG. 3 is a diagram of a dynamic VM disk personalization system,according to an example embodiment.

DETAILED DESCRIPTION

A “resource” includes a user, service, system, device, directory, datastore, groups of users, combinations of these things, etc. A “principal”is a specific type of resource, such as an automated service or userthat acquires an identity. A designation as to what is a resource andwhat is a principal can change depending upon the context of any givennetwork transaction. Thus, if one resource attempts to access anotherresource, the actor of the transaction may be viewed as a principal.

An “identity” is something that is formulated from one or moreidentifiers and secrets that provide a statement of roles and/orpermissions that the identity has in relation to resources. An“identifier” is information, which may be private and permits anidentity to be formed, and some portions of an identifier may be publicinformation, such as a user identifier, name, etc. Some examples ofidentifiers include social security number (SSN), user identifier andpassword pair, account number, retina scan, fingerprint, face scan, etc.

A “virtual machine” (VM) may be viewed as a logical processingenvironment overlaid or superimposed on a physical device. The VM is alogical machine that is independent of its physical process environmentor physical machine. It may include its own operating system (OS), itsown file system (FS), its own directory services, etc., which may eachbe different from the physical processing environment.

A “virtual image” is a specific instance of a VM. That is, the virtualimage is the configuration data that when processed becomes an executinginstance of a VM. The virtual image creates or instantiates a specificVM.

Various embodiments of this invention can be implemented in existingnetwork architectures. For example, in some embodiments, the techniquespresented herein are implemented in whole or in part in the Novell®operating system products, directory-based products and other productsdistributed by Novell®, Inc., of Waltham, Mass.

Also, the techniques presented herein are implemented in machines, suchas processor or processor-enabled devices. These machines are configuredto specifically perform the processing of the methods and systemspresented herein. Moreover, the methods and systems are implemented andreside within computer-readable storage media and processed on themachines configured to perform the methods.

Of course, the embodiments of the invention can be implemented in avariety of architectural platforms, devices, operating and serversystems, and/or applications. Any particular architectural layout orimplementation presented herein is provided for purposes of illustrationand comprehension only and is not intended to limit aspects of theinvention.

It is within this context that embodiments of the invention are nowdiscussed within the context of FIGS. 1-3.

FIG. 1 is a diagram of a method 100 for dynamically personalizing a diskwithin a VM, according to an example embodiment. The method 100(hereinafter “VM disk personalization service”) is implemented in amachine-accessible and computer-readable medium and instructions thatexecute on one or more processors (machines, computers, processors,etc.). The machine is specifically configured to process the VM diskpersonalization service. Furthermore, the VM disk personalizationservice is operational over and processes within a network. The networkmay be wired, wireless, or a combination of wired and wireless.

According to an embodiment, the VM disk personalization service isprovided from the perspective of a dynamic storage filter service thatis implemented within a virtual image and carried as a service thatinitiates when a VM for the virtual image is started. So, the processingof the VM disk personalization service is embedded within a VM and avirtual image that defines the VM.

At 110, the VM disk personalization service intercepts a request from aprincipal (user or automated service executing within the VM) to accessstorage. The request is received from within an executing VM and that VMis defined as an instance of a virtual image.

According to an embodiment, at 111, the VM disk personalization serviceidentifies the request as one or more of: a read operation for a file, acreated operation for the file, a write operation for the file, a deleteoperation for the file, an execute operation for an application, aninstall operation for an application, and/or an uninstall operation forthe application. It is noted that a single request, such as an executeoperation can generate multiple different types of disk accessoperations, such as read, write, delete, and the like. So, it is notedthat a single request can include or cause to initiate multiple diskoperations within the VM.

At 120, the VM disk personalization service redirects the request to anexternal data store that is external to the virtual image defining theVM. So, the request is not immediately satisfied by accessing thevirtual disk or storage of the VM; rather, the request is redirected toan external data store and an external service for novel processing (asdescribed herein and below). Thus, the VM disk personalization serviceacts as a type of transparent proxy within the VM, where all VM diskaccess operations are intercepted (110) and redirected to an externalservice for handling (120).

In an embodiment, at 121, the VM disk personalization service provides aprincipal identity with the request along with principal credentials forthe external data store or external service to authenticate the requestand locate a personalized data store for the virtual image and theprincipal. That is, the external data store or external service mayhandle requests from multiple different principals and instances ofVM's, such that the principal identity provides a mechanism forenforcing and ensuring authentication and security.

At 130, the VM disk personalization service receives instructions fromthe external data store or external service (hereinafter “external datastore”) with respect to a location where data resides to satisfy therequest. It is noted that the location may be all that is needed when awrite request is occurring with the request and in such a case therequest will actually carry the write data to store at the location.

In an embodiment, at 131, the VM disk personalization service processesthe instructions to acquire the data from an external personalized datastore, which is external to the virtual image and which is loaded fromthe location into the VM.

In another situation, at 132, the VM disk personalization serviceprocesses the instructions to acquire the data from a location withinthe virtual image that defines the VM. Here, the actual request couldhave been satisfied originally from the VM via the existing virtualimage for that VM, but the instructions for acquiring the data had tocome from the external data store that handles all disk accessoperations within the VM.

In yet another case, at 133, the VM disk personalization serviceenforces a policy received with the instructions with respect to thedata. So, security such as access rights and other limitations can beenforced against the data via a configured policy.

In still more scenarios, at 134, the VM disk personalization servicelogs the request, a virtual image identifier (and/or VM identifier), aprincipal identifier, and/or the location for the data in an audit datastore that is external to the virtual image. So, an audit mechanism canbe integrated into the processing of the VM. Audits and reports cansubsequently be generated to ensure usage of the VM comports withenterprise policy and/or to identify performance bottlenecks of the VM.

FIG. 2 is a diagram of another method 200 for dynamically personalizinga disk within a VM, according to an example embodiment. The method 200(hereinafter “disk personalization service”) is implemented in amachine-accessible and computer-readable storage medium as instructionsthat execute on one or more processors of a network. The network may bewired, wireless, or a combination of wired and wireless. Furthermore,the processor (device having a processing instance of the diskpersonalization service) is specifically configured to process the diskpersonalization service.

The disk personalization service represents another aspect of the VMdisk personalization service, represented by the method 100 of theFIG. 1. Specifically, the VM disk personalization service of the method100 provides processing that occurs within a virtual image that definesan instance of a VM whereas the disk personalization service representsprocessing of the external data store or external service discussedabove with respect to the method 100. That is, the disk personalizationservice processes external to a VM and its image. So, the processing ofdisk personalization service is independent of any particular virtualimage defining any particular VM. The method 100 and the method 200cooperate and interact with one another.

At 210, the disk personalization service receives a disk access request.The disk access request originates from a VM and is defined by a virtualimage. Also, the disk access request includes a principal identifierthat identifies a principal who originated the disk access requestwithin the VM, and the disk access request includes a resourceidentifier for a resource associated with the disk access request, suchas a file, an application, a disk drive, and the like.

According to an embodiment, at 211, the disk personalization serviceacquires the disk access request from a dynamic storage filterconfigured within the virtual image and initiated with the VM. Thedynamic storage filter intercepts the disk access request in a mannerthat is transparent to the principal and externally redirects the diskaccess request to the disk personalization service. In a particularcase, the dynamic storage filter is the method 100 discussed above withrespect to the FIG. 1.

At 220, the disk personalization service searches an index for theprincipal identifier and the resource identifier for purposes ofidentifying a location for handling the disk access request. In anembodiment, the index is a database table that provides a databaseApplication Programming Interface (API) for querying and managing thedatabase table.

In an embodiment, at 221, the disk personalization service queries aglobal index with the principal identifier. The results of this queryprovide the disk personalization service with the index, which ispersonal to the principal. Once the index is acquired, the diskpersonalization service searches the index with the resource identifierto obtain the location that is to be used for handling the disk accessrequest.

According to an embodiment, at 222, the disk personalization serviceenforces a policy to resolve the index that is to be searched. Thepolicy is based on the principal identifier.

Continuing with the embodiment of 222 and at 223, the diskpersonalization service assigns a role for the principal based on theprincipal identifier. The assigned role is then used to locate the indexwithin a hierarchy of available indexes. In this manner, there can bemultiple levels of indexes that are hierarchically organized and policyand/or role or group assignments combined with identity can resolve theactual index that is used to perform the search. Each index is specificto a storage area where the disk access request is to be processed.Thus, in an enterprise environment a “development” group can includemultiple specific users and those users are to have access to programsnot available to managers. This can be achieved via a hierarchy ofindexes, each index identifying a specific storage that is used todynamically alter the virtual image at run time to provide thedevelopment users with access to their programs but the base virtualimage for the developers and the managers remains the same. Because ahierarchy is achieved, personalization can also occur within thedevelopment group based on the user level (principal identity).

At 230, the disk personalization service returns to the virtual image areference to the location for the disk access request to proceed fromwithin the virtual image or VM. So, the data or a handle to the storagearea for processing the disk access request is dynamically and in realtime altered and passed to the VM via the disk personalization service.

In an embodiment, at 231, the disk personalization service provides thevirtual image with the reference to the location where that location isdefined within an external personalized storage that is personal orspecific to the principal. So, the external personalized storage isexternal to the virtual image and is used for customizing andpersonalizing the virtual image for the principal. In other words,alterations and customizations that a user makes to their virtual imagefor their VM is recorded and noted in the external personalized storageand the disk personalization service ensures that these alterations andcustomizations are dynamically rendered and overlaid on the VM each timethe user initiates the baseline virtual image.

It may also be the case, at 232, that the disk personalization serviceprovides the virtual image with the reference to the location where thatlocation is defined and available within the virtual image. So, the diskaccess operation is processed from a location that was originallypresent within the virtual image or VM, but it was the diskpersonalization service that made the decision to permit that processingto continue from within the VM and not from an external storagelocation.

The disk personalization service provides novel processingopportunities. An enterprise can maintain a single virtual image or setsof virtual images where each image is a baseline approved by theenterprise for support. Each user can then customize and add and removeprograms as policy permits, but the baseline virtual images remainunchanged; what changes is the personalized storage for each user thatis dynamically rendered each for a user to personalize each user's VM.

FIG. 3 is a diagram of a dynamic VM disk personalization system 300,according to an example embodiment. The dynamic VM disk personalizationsystem 300 is implemented in a machine-accessible and computer-readablestorage medium as instructions that execute on one or more processors(multiprocessor) and that is operational over a network. The one or moreprocessors are specifically configured to process the components of thedynamic VM disk personalization system 300. Moreover, the network may bewired, wireless, or a combination of wired and wireless. In anembodiment, the dynamic VM disk personalization system 300 implements,inter alia, certain aspects of the methods 100 and 200 represented bythe FIGS. 1 and 2, respectively.

The dynamic VM disk personalization system 300 includes a dynamicvirtual image storage filter (DVISF) 302 and a virtual imagecustomization service (VICS) 303. In some embodiments, the dynamic VMdisk personalization system 300 also includes one or more of: anidentity service 305, one or more personal storages 306, and/or one ormore indexes 307. Each of these and their interactions with one anotherwill now be discussed in turn.

The DVISF 302 is implemented in a computer-readable storage medium andis to execute on a processor within a VM 301. That is, the DVISF 302 ispart of a virtual image that defines instances of the VM 301. Exampleprocessing associated with the DVISF 302 was provided in detail abovewith respect to the method 100 of the FIG. 1.

The DVISF 302 is configured to intercept disk access operations madewithin the VM 301. The DVISF 302 is also configured to redirect thosedisk access operations to the VICS 303. A principal that originates thedisk access operations believes that the operations are being directedto the VM disk 304 of the VM 301 but this may not always be thesituation since in some cases the operations are external to the VM 301(as discussed herein above and below).

According to an embodiment, the DVISF 302 is configured as part of thevirtual image for the VM 301. The DVISF 302 is configured to initiateand execute when the VM 301 is executed.

The VICS 303 is implemented in a computer-readable storage medium and isto execute on another processor that is external to the VM 301. Exampleprocessing associated with the VICS 303 was presented in detail abovewith reference to the method 200 of the FIG. 2.

The VICS 303 is configured to locate storage, resources, and data thatsatisfy the disk access operations. Moreover, the VICS 303 is configuredto define for the DVISF 302 the mechanisms needed for processing thedisk access operations within the VM 301 based on resolved locations forthe storage, the resources, and the data.

In an embodiment, the VICS 303 is also configured to handle and processthe disk access operations for the VM 301 and other disk accessoperations for multiple other VM's 301 of a network. So, the VICS 303can handle an entire suite of VM's 301 of a network. In such a scenario,the VICS 303 may be implemented and processed on a server of thenetwork.

In an embodiment, the dynamic VM disk personalization system 300 alsoincludes an identity service 305. The identity service 305 isimplemented in a computer-readable storage medium and is to execute onyet another processor of the network. Moreover, the identity service 305is configured to interact with the VICS 303 and/or the DVISF 302 forpurposes of providing authentication and security services when the VICS303 attempts to locate the storage, the resources, and the data tosatisfy the disk access operations.

In another scenario, the dynamic VM disk personalization system 300includes a personalized storage 306 implemented in a computer-readablestorage medium. The personalized storage 306 customized for a particularidentity of a particular principal and the VICS 303 configured to accessthe personalized storage 306 when processing the disk access operationsto personalize the VM 301 for the particular principal.

In another case, the dynamic VM disk personalization system 300 includesan index 307 (can be one or more indexes 307—hierarchy of indexes 307).The index 307 implemented in a computer-readable storage medium. TheVICS 303 configured to search the index 307 to identify and to accessspecific areas of the personalized storage 306.

The above description is illustrative, and not restrictive. Many otherembodiments will be apparent to those of skill in the art upon reviewingthe above description. The scope of embodiments should therefore bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled.

The Abstract is provided to comply with 37 C.F.R. §1.72(b) and willallow the reader to quickly ascertain the nature and gist of thetechnical disclosure. It is submitted with the understanding that itwill not be used to interpret or limit the scope or meaning of theclaims.

In the foregoing description of the embodiments, various features aregrouped together in a single embodiment for the purpose of streamliningthe disclosure. This method of disclosure is not to be interpreted asreflecting that the claimed embodiments have more features than areexpressly recited in each claim. Rather, as the following claimsreflect, inventive subject matter lies in less than all features of asingle disclosed embodiment. Thus the following claims are herebyincorporated into the Description of the Embodiments, with each claimstanding on its own as a separate exemplary embodiment.

The invention claimed is:
 1. A method implemented and residing within acomputer-readable storage medium that is executed by a processor of anetwork to perform the method, comprising: receiving a disk accessrequest, the disk access request originating from within a virtualmachine (VM) defined by a virtual image, the disk access requestincluding a principal identifier for a principal that originated thedisk access request within the virtual image and the disk access requestincluding a resource identifier for a resource associated with the diskaccess request; searching an index for the principal identifier and theresource identifier to identify a location for handling the disk accessrequest; and returning to the virtual image completion notification forthe disk access request and data to fulfill the disk access request; themethod processing external to the processing of the virtual image. 2.The method of claim 1, wherein receiving further includes acquiring thedisk access request from a dynamic storage filter configured within thevirtual image, the dynamic storage filter intercepts the disk accessrequest in a manner that is transparent to the principal and externallyredirects the disk access request to the method.
 3. The method of claim1, wherein searching further includes querying a global index with theprincipal identifier to locate the index for the principal and thenquerying the index with the resource identifier to obtain the location.4. The method of claim 1, wherein searching further includes enforcing apolicy to resolve the index that is searched, the policy enforced basedon the principal identifier.
 5. The method of claim 4, wherein enforcingfurther includes assigning a role for the principal based on theprincipal identifier and using the assigned role to locate the indexwithin a hierarchy of indexes.
 6. The method of claim 1, whereinreturning further includes providing the virtual image with the locationthat is defined within an external personalized storage for theprincipal, the external personalized storage is external to the virtualimage and is used for customizing and personalizing the virtual imagefor the principal.
 7. The method of claim 1, wherein returning furtherincludes providing the virtual image with the location that is definedwithin the virtual image and that was originally present on the virtualimage when the disk access request was originated by the principal.
 8. Amultiprocessor-implemented system, comprising: a dynamic virtual imagestorage filter implemented in a computer-readable storage medium and toexecute on a processor within a virtual machine (VM); and a virtualimage customization service implemented in a computer readable mediumand to execute on another processor that is external to the VM; thedynamic virtual image storage filter is configured to intercept diskaccess operations made within the VM and dynamic virtual image storagefilter further configured to redirect those disk access operations tothe virtual image customization service, the virtual image customizationservice configured to locate storage, resources, and data that satisfythe disk access operations and the virtual image customization servicefurther configured to define for the dynamic virtual image storagefilter mechanisms for processing the disk access operations within theVM based on resolved locations for the storage, the resources, and thedata.
 9. The system of claim 8, wherein the dynamic virtual imagestorage filter is configured as part of a virtual image for the VM andis configured to initiated when the VM is executed.
 10. The system ofclaim 8, wherein the virtual image customization service is configuredto handle and process the disk access operations for the VM and otherdisk access operations for multiple other VM's of a network.
 11. Thesystem of claim 8 further comprising, an identity service implemented ina computer-readable storage medium and to execute on another processor,the identity service configured to interact with the virtual imagecustomization service to provide authentication and security serviceswhen the virtual image customization service attempts to locate thestorage, the resources, and the data.
 12. The system of claim 8 furthercomprising, a personalized storage implemented in a computer-readablemedium, the personalized storage customized for a particular identity ofa particular principal, the virtual image customization serviceconfigured to access the personalized storage when processing the diskaccess operations to personalize the VM for the particular principal.13. The system of claim 12 further comprising, an index implemented in acomputer-readable storage medium, the virtual image customizationservice configured to search the index to identify and to accessspecific areas of the personalized storage.